
Microsoft Windows Zero-Day Found in Task Scheduler

A Windows task scheduler API function does not check permissions – so any potential local bad actor can alter them to gain elevated privileges.

A zero-day flaw recently disclosed in Microsoft’s Windows task scheduler could enable a bad actor to gain elevated privileges. The flaw, which was disclosed Monday on Twitter, does not yet have a patch.

The issue exists in the Advanced Local Procedure Call (ALPC) interface of the Microsoft Windows task scheduler on 64-bit operating systems (Windows 10 and Server 2016). Essentially, an API function exposed over ALPC does not check the caller's permissions, so any local bad actor can alter file permissions through it.

“We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems,” according to a note issued Monday by CERT. “Compatibility with other Windows versions may be possible with modification of the publicly-available exploit source code.”

The flaw was first disclosed Tuesday by Twitter user SandBoxEscaper, who also linked to a GitHub page with the PoC for the flaw.

Here is the alpc bug as 0day: https://t.co/m1T3wDSvPX I don't fucking care about life anymore. Neither do I ever again want to submit to MSFT anyway. Fuck all of this shit.

Exploit Breakdown

Researcher Kevin Beaumont confirmed the vulnerability with a breakdown of the exploit: “This exploit misuses SchRpcSetSecurity to alter permissions (I wouldn’t recommend running it on a live system by the way) to allow a hard link to be created, and then calls a print job using XPS printer (installed with Windows XP Service Pack 2+) to call the hijack DLL as SYSTEM (via the Spooler process).”

Task scheduler is a function of Microsoft Windows that gives users the ability to schedule the launch of programs at pre-determined times. Its ALPC interface is essentially an inter-process communication facility that Windows OS components use to pass messages.

One function of this interface, SchRpcSetSecurity, is open to any local caller, so anyone can set an arbitrary discretionary access control list (DACL) on a file, meaning they can change local file permissions.

The flaw does come with limitations: to gain elevated privileges, a bad actor would need to be local, and exploitation requires prior code execution on the machine. Also, the exploit would need modifications to work on OSes other than 64-bit ones (e.g., a 32-bit OS). “Also it hard-codes prnms003 driver, which doesn’t exist on certain versions (e.g. on Windows 7 it can be prnms001),” said Beaumont.
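The chain described above (a low-privileged user rewrites a file's DACL, then the Print Spooler loads a DLL from that path as SYSTEM) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from any of the researchers quoted: it correlates simplified, constructed event records (a DACL-change event followed by an image load into spoolsv.exe) rather than parsing real Windows or Sysmon logs, and all paths and account names in it are made up.

```python
"""Added detection sketch: flag a DACL change on a file by a non-service account
that is followed, within a short window, by spoolsv.exe loading that same file.
Event dictionaries below are constructed for illustration, not real log records."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Accounts for which a DACL change followed by a spooler load is expected noise.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}


def find_suspicious_chains(events):
    """Return (dacl_event, load_event) pairs where a non-service account changed a
    file's DACL and spoolsv.exe then loaded that file within WINDOW."""
    recent_dacl = {}  # normalised path -> latest DACL change by a non-service account
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] == "dacl_change" and ev["subject"] not in SERVICE_ACCOUNTS:
            recent_dacl[ev["path"].lower()] = ev
        elif ev["type"] == "image_load" and ev["process"].lower() == "spoolsv.exe":
            prior = recent_dacl.get(ev["image"].lower())
            if prior is not None and ev["time"] - prior["time"] <= WINDOW:
                hits.append((prior, ev))
    return hits


T0 = datetime(2018, 8, 28, 10, 0, 0)
# Constructed sample events: one benign sequence (SYSTEM updates a driver file and the
# spooler loads it) and one matching the described chain (placeholder paths).
SAMPLE_EVENTS = [
    {"type": "dacl_change", "time": T0, "subject": "NT AUTHORITY\\SYSTEM",
     "path": "C:\\EXAMPLE_DRIVERSTORE\\benign_driver.dll"},
    {"type": "image_load", "time": T0 + timedelta(seconds=30), "process": "spoolsv.exe",
     "image": "C:\\EXAMPLE_DRIVERSTORE\\benign_driver.dll"},
    {"type": "dacl_change", "time": T0 + timedelta(minutes=5), "subject": "WORKSTATION\\lowpriv",
     "path": "C:\\EXAMPLE_DRIVERSTORE\\EXAMPLE_DRIVER\\printconfig_placeholder.dll"},
    {"type": "image_load", "time": T0 + timedelta(minutes=6), "process": "spoolsv.exe",
     "image": "c:\\example_driverstore\\example_driver\\printconfig_placeholder.dll"},
]

if __name__ == "__main__":
    for dacl_ev, load_ev in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"ALERT: {dacl_ev['subject']} changed DACL on {dacl_ev['path']} at "
              f"{dacl_ev['time']:%H:%M:%S}; spoolsv.exe loaded it at {load_ev['time']:%H:%M:%S}")
```

On a real estate the DACL-change source would be Security event 4670 (with object-access auditing enabled) and the image load Sysmon event 7; the correlation logic stays the same.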

The problem also was confirmed by vulnerability analyst Will Dormann, who said the PoC works for a “fully-patched 64-bit Windows 10 system.”

I've confirmed that this works well in a fully-patched 64-bit Windows 10 system. LPE right to SYSTEM! https://t.co/My1IevbWbz

The flaw is rated between 6.4 and 6.8 on the CVSS scale, which means it is of “medium” severity.

CERT/CC said it is currently unaware of a practical solution to this problem. Microsoft, for its part, told Threatpost its standard policy is to update during its regularly-scheduled Patch Tuesday release.

Authors

Threatpost
